[Samba] Questions on Samba and LDAP failover

Fri Mar 26 06:15:12 MDT 2010

Gary Peck wrote:
> I have actually tired that and could not get that to work.  At least it 
> does not work on the version of samba that is bundled with Solaris 10 
> (3.0.37).
> 
> passdb backend = ldap:"ldap://ldap1.example.com ldap://ldap2.example.com"  
> --- This causes a core dump

oh, i mis-spelled ldap: instead of ldapsam:

> passdb backend = ldapsam:"ldap://ldap1.example.com 
> ldap://ldap2.example.com" smbpasswd username fails connecting to primary 
> ldap server and just errors out.

Hmm, what ldap library are you using? reading from the smb.conf
manpage:

>>>>>  -  ldapsam - The LDAP based passdb backend. Takes an LDAP URL as an optional argument (defaults to
>>>>>     ldap://localhost)
>>>>>
>>>>>     LDAP connections should be secured where possible. This may be done using either Start-TLS (see
>>>>>     ldap ssl) or by specifying ldaps:// in the URL argument.
>>>>>
>>>>>     Multiple servers may also be specified in double-quotes. Whether multiple servers are supported
>>>>>     or not and the exact syntax depends on the LDAP library you use.
>>>>>
>>>>>      Examples of use are:
>>>>>
>>>>>     passdb backend = tdbsam:/etc/samba/private/passdb.tdb
>>>>>
>>>>>     or multi server LDAP URL with OpenLDAP library:
>>>>>
>>>>>     passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
>>>>>
>>>>>     or multi server LDAP URL with Netscape based LDAP library:
>>>>>
>>>>>     passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com"

So it depends on your LDAP client library and the example I gave you is valid
for openLDAP, possibly not for yours, if it supports multiple servers at all.
You could try the second syntax ldapsam:"ldap://ldap-1.example.com ldap-2.example.com".

The bottom line is that the string between the quotes has to be a valid string
accepted by the ldap init routine of your library...

Cheers - Michael

> It seems to be the 3.0.22 release that I remember seeing a not that ldap 
> failover was deprecated for some reason.  The only way I have been able 
> to get any type of failover is setting up a DNS entry to round robin 
> between two Sun DS7 multimaster directory servers.
> 
> Thanks,
> 
> Gary
> 
> On 3/25/2010 3:16 PM, Michael Adam wrote:
> >Hi Gary,
> >
> >Gary Peck wrote:
> >   
> >>After trying multiple options in the smb.conf file the only way I could
> >>get fail over to work was having two ldap servers setup in a multimaster
> >>replication and having a DNS entry setup that round robins between the
> >>two.  Everything seems to work,  I can bring down one ldap server and
> >>samba will still authenticate and let users in.  Anybody know of any
> >>issues doing it this way?
> >>
> >>Thanks,
> >>
> >>Gary
> >>
> >>     
> >>>If I have read the documentation correctly, it looks like you can not
> >>>have a fail over LDAP server defined in the smb.conf file for the passdb
> >>>backend.  It looks like this feature was taken away in an earlier
> >>>release.  Is this correct?  If not could somebody steer me in the right
> >>>direction.
> >>>       
> >Is the question how to specify multiple ldap servers in smb.conf?
> >If so, here is the answer:
> >
> >    passdb backend = ldap:"ldap://ldap1.example.com 
> >    ldap://ldap2.example.com"
> >
> >I.e. put a spaces separated list of ldap urls into quotes.
> >
> >If that was not your question, please clarify.
> >
> >Cheers - Michael
> >   
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 206 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20100326/abd070f7/attachment.pgp>